Legal claims defining the scope of protection, as filed with the USPTO.
1. A computer-implemented method for defending an attack from the execution of shellcode, comprising: duplicating elements within a dynamically linked library (dll), wherein the dll resides in a first memory space; redirecting the duplicated elements into a second memory space; establishing a protection attribute for the elements within the second memory space; modifying one or more links to point to elements within the second memory space instead of elements within the first memory space; determining a location of execution code attempting to access the elements within the second memory space; and preventing the execution code from executing based on the determined location.
2. The method of claim 1, wherein the dll comprises a kernel32.dll.
3. The method of claim 1, wherein the determined location of the execution code indicates the code is running on a heap memory allocation.
4. The method of claim 1, wherein the determined location of the execution code indicates the code is running on a stack memory allocation.
5. The method of claim 1, further comprising allowing the executing code to execute if the determined location indicates the code is not running on a heap or stack memory allocation.
6. The method of claim 1, wherein the modified links point to an InLoadOrderModuleList, an InMemoryOrderModuleList, and an InInitializationOrderModuleList.
7. The method of claim 1, wherein the protection attribute comprises a PAGE_GUARD|PAGE_EXECUTE_READWRITE attribute.
8. The method of claim 1, further comprising establishing an exception handler to identify an exception raised by the protection attribute for elements within the second memory space.
9. The method of claim 8, further comprising using the exception handler to determine the location of the execution code attempting to access the elements within the second memory space.
10. A computer system configured to defend an attack caused by the execution of shellcode, comprising: a processor; memory in electronic communication with the processor; instructions stored in the memory, the instructions being executable by the processor to: duplicate elements within a dynamically linked library (dll), wherein the dll resides in a first memory space; redirect the duplicated elements into a second memory space; establish a protection attribute for the elements within the second memory space; modify one or more links to point to elements within the second memory space instead of elements within the first memory space; determine a location of execution code attempting to access the elements within the second memory space; and prevent the execution code from executing based on the determined location.
11. The computer system of claim 10, wherein the dll comprises a kernel32.dll.
12. The computer system of claim 10, wherein the determined location of the execution code indicates the code is running on a heap memory allocation.
13. The computer system of claim 10, wherein the determined location of the execution code indicates the code is running on a stack memory allocation.
14. The computer system of claim 10, wherein the instructions are executable by the processor to: allow the executing code to execute if the determined location indicates the code is not running on a heap or stack memory allocation.
15. The computer system of claim 10, wherein the modified links point to an InLoadOrderModuleList, an InMemoryOrderModuleList, and an InInitializationOrderModuleList.
16. The computer system of claim 10, wherein the protection attribute comprises a PAGE_GUARD|PAGE_EXECUTE_READWRITE attribute.
17. The computer system of claim 10, wherein the instructions are executable by the processor to establish an exception handler to identify an exception raised by the protection attribute for elements within the second memory space.
18. A computer-program product for defending an attack from the execution of shellcode, the computer-program product comprising a non-transitory computer-readable medium storing instructions thereon, the instructions being executable by a processor to: duplicate elements within a dynamically linked library (dll), wherein the dll resides in a first memory space; redirect the duplicated elements into a second memory space; establish a protection attribute for the elements within the second memory space; modify one or more links to point to elements within the second memory space instead of elements within the first memory space; determine a location of execution code attempting to access the elements within the second memory space; and prevent the execution code from executing based on the determined location.
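The decision step of claims 3 to 5, 8 and 9, as an added example that is not part of the patent text: a portable C model of the handler that runs when the guarded copy is touched and decides from the caller's location whether to let it proceed. All type names, function names and addresses are constructed for illustration; blocking a caller that lies in no known region is an assumption of this sketch, not something the claims state.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model types; none of these names come from the patent. */
typedef enum { REGION_IMAGE, REGION_HEAP, REGION_STACK } region_kind;
typedef struct { uintptr_t base; size_t size; region_kind kind; } region;
typedef struct { uintptr_t base; size_t size; bool guard_armed; } guarded_copy;
typedef enum { ACCESS_ALLOWED, ACCESS_BLOCKED } verdict;

/* Constructed sample process layout. */
static const region memory_map[] = {
    { 0x00400000u, 0x00100000u, REGION_IMAGE },  /* loaded executable */
    { 0x00900000u, 0x00200000u, REGION_HEAP  },
    { 0x0012F000u, 0x00010000u, REGION_STACK },
};

static const region *find_region(uintptr_t addr) {
    for (size_t i = 0; i < sizeof memory_map / sizeof memory_map[0]; i++)
        if (addr - memory_map[i].base < memory_map[i].size)  /* unsigned wrap rejects addr < base */
            return &memory_map[i];
    return NULL;
}

/* Models the exception handler: code at `caller` touches `target`. */
verdict on_access(guarded_copy *g, uintptr_t caller, uintptr_t target) {
    if (target - g->base >= g->size || !g->guard_armed)
        return ACCESS_ALLOWED;            /* no guard exception is raised */
    g->guard_armed = false;               /* PAGE_GUARD is one-shot: cleared when it fires */
    const region *r = find_region(caller);
    /* Heap or stack caller is blocked; unknown region is blocked too (assumption). */
    if (r == NULL || r->kind == REGION_HEAP || r->kind == REGION_STACK)
        return ACCESS_BLOCKED;
    g->guard_armed = true;                /* a real handler must restore the attribute itself */
    return ACCESS_ALLOWED;
}

int main(void) {
    guarded_copy copy = { 0x10000000u, 0x1000u, true };  /* constructed second memory space */
    printf("image caller: %d\n", on_access(&copy, 0x00401234u, 0x10000010u));
    printf("heap caller:  %d\n", on_access(&copy, 0x00950000u, 0x10000010u));
    return 0;
}
```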
September 17, 2013